With many organizations today having shifted to a remote work configuration for the majority of their employees, there are certain pain points with supporting remote workers that can certainly arise. One of the basic problem areas of supporting remote workers, any end users really, is locked out accounts and expired passwords.
Additionally, verifying users who call in to the service desk to have a password reset poses a security risk to the organization. How can you verify the user is who they say they are and prevent a social engineering attack? Specops has released a brand-new product called Secure Service Desk that helps to solve this problem.
What is Specops Secure Service Desk?
What is the new Secure Service Desk exactly? It is a solution that allows your service desk technicians to provide assistance to end users via human interaction. When working with end users on the phone, service desk technicians can use the Secure Service Desk solution to verify the end user’s identity by enforcing the use of the identity services the end user has been pre-enrolled with. Options include OTPs via email or mobile and third-party identity services, all of which can leverage existing user data in Active Directory.
Service desk includes the following abilities:
- Verify user identity
- Enforce user authentication
- Unlock accounts and reset passwords
It makes these processes secure by the use of multi-factor authentication. It supports a number of multi-factor authentication providers including:
- Mobile and Email Code
- Duo Security
- Okta Verify
It’s not surprising to see Specops in this space, as they have been a major provider of password management tools and authentication solutions for a number of years now. This is certainly a hot topic for security today, as many organizations have come to realize that passwords and user identity are often the weak link in overall security and the primary “hole in the armor” behind data breaches.
Let’s take a look at the new Specops Secure Service Desk tool and see how it can bolster the security of user identity, password resets, and self-service for end users.
Installation and configuration
There are basically two components to setting up the Specops Secure Service Desk. You will set up the following:
- Specops Secure Service Desk cloud account
- An on-premises “Gatekeeper” component
In setting up both components, I was pleasantly surprised at how quickly and easily both were configured.
Setting up the Specops cloud account
The first component of the Secure Service Desk is to sign up and create the Specops cloud account. Specops will create a new account for you with an appended UPN suffix to your existing forward-facing domain name so that it is unique.
Once you have created your account and logged in, you will see the Specops Authentication dashboard. Here you will be presented with a workflow to finish configuring your Secure Service Desk.
As mentioned earlier, the solution requires that you have an on-premises component called the “Gatekeeper” to integrate with your on-premises Active Directory environment. Click the button Create new Gatekeeper.
For instructions on installing the on-premises Gatekeeper component, see the documentation provided by Specops here: Specops Gatekeeper installation
Configuring the Service Desk
By default, there isn’t anything you are required to configure beyond the Gatekeeper to get started with the Service Desk portal. It will already be integrated with your Active Directory environment and will have visibility into the enrollment status of your users. However, as shown below, you can click the Configure button to configure Policy settings. These control which types of identity verification the service desk technician must perform before managing users through the portal, and which identity services are offered to end users for verification at the service desk.
You can select the identity services you want to make use of and check these as required for verification.
Additionally, from the portal there is a setting to force identity verification. If this is checked, service desk agents will have to successfully verify users’ identities before being able to perform a password reset for example.
There is also reporting available to keep track of when user verification was performed, what identity service was used during verification, and account unlocks and password resets. This is a very useful report and it can be exported to CSV, Excel, Json, and other formats.
Now, let’s look at the service desk itself. Once you navigate to the dashboard for Service Desk, click the “hamburger” menu in the upper right-hand corner. You can then search for users you want to verify.
Select the user you want to work with.
As the user is on the phone with the service desk technician, they click the Verify identity button.
This launches the verification screen. Here you can choose the quick verification mechanism to verify an end user based on the services the end user enrolled in. As you can see in the screen below, the user icon is in red, indicating that the user’s identity has not been verified. In this example, I am using the mobile code to verify. This will text a code to the phone number enrolled for the user.
As you can see, the end user would truly have to be in possession of the enrolled mobile device to answer the identification request, which makes it much more difficult for an attacker to circumvent.
The service desk technician then enters the code the end user reads back to them and clicks Verify.
If you note above, the service desk technician can actually navigate to the Reset Password link without verifying the user first. If you want to force identity verification before a password reset, there is a setting to do this. Additionally, you can also select to have a password randomly generated and sent to an end user without the service desk technician seeing it.
This may be required in various regulatory compliance frameworks and is generally good security hygiene as well. This eliminates any chance of a service desk technician having possession of a legitimate user password in the process.
As you can see below, the Reset Password link is greyed out until the user is verified. This provides an effective means of thwarting social engineering attacks in which a service desk technician is persuaded to simply reset the password without verifying the end user.
Additionally, with the random password option selected, the password is randomly generated and, in this scenario with the mobile code configured, texted to the user. The technician never sees it.
The password is successfully changed to the value messaged to the user.
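To make the two controls described above concrete (reset gated on a successful out-of-band code check, and a random password delivered only to the user), here is an added example that models the workflow; it is not Specops code, and the class, the code lifetime, the attempt cap and the `send`/`set_password` callbacks are assumptions for illustration.

```python
"""Model of a 'verify before reset' service-desk gate (added example, not Specops code)."""
import hmac
import secrets
import string
import time


class ServiceDeskSession:
    """Tracks one service-desk call for one user account (hypothetical model)."""

    OTP_TTL_SECONDS = 300        # assumed lifetime of a mobile/email code
    MAX_ATTEMPTS = 3             # assumed cap on code-entry attempts before the code is burned

    def __init__(self, user, force_verification=True, send=None):
        self.user = user
        self.force_verification = force_verification   # the portal's "force identity verification" setting
        self.send = send or (lambda user, msg: None)   # stands in for SMS/email delivery to the user
        self.verified = False
        self._otp = None
        self._otp_issued = 0.0
        self._attempts = 0

    def issue_code(self):
        """Generate a 6-digit code and deliver it out-of-band; the technician never sees it."""
        self._otp = "".join(secrets.choice(string.digits) for _ in range(6))
        self._otp_issued = time.time()
        self._attempts = 0
        self.send(self.user, f"Your verification code is {self._otp}")

    def verify(self, code_from_caller):
        """Technician enters the code the caller reads back: constant-time compare, expiry, attempt cap."""
        if self._otp is None or time.time() - self._otp_issued > self.OTP_TTL_SECONDS:
            return False
        self._attempts += 1
        if self._attempts > self.MAX_ATTEMPTS:
            self._otp = None               # burn the code after too many tries
            return False
        if hmac.compare_digest(self._otp, code_from_caller):
            self.verified = True
            self._otp = None               # single-use
            return True
        return False

    def reset_password(self, set_password):
        """Gate the reset on verification; the random password goes only to the user, not the technician."""
        if self.force_verification and not self.verified:
            return False
        alphabet = string.ascii_letters + string.digits + string.punctuation
        new_password = "".join(secrets.choice(alphabet) for _ in range(16))
        set_password(self.user, new_password)   # e.g. an AD password set performed by the Gatekeeper
        self.send(self.user, f"Your new password is {new_password}")
        return True
```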
Wrapping Up and final impressions
I found the features of Specops Secure Service Desk to be excellent for organizations looking to improve the security of service desk operations and bolster their password reset solution. It provides the means for service desk technicians to effectively verify the identity of a supposed end user who requests a password reset. This should make it exponentially more difficult for an attacker looking to perform a social engineering or other type of attack to steal credentials.
As shown, IT administrators can enforce the setting to require identity verification before resetting a password for an end user. Additionally, you can also prevent a service desk technician from ever possessing an end user password by enforcing a random password generation that is securely sent to the end user.
For a fully-featured trial version of the software, take a look at the Specops Secure Service Desk download.